457416 - TM: Crash @ js3250.dll!nanojit::LirBufWriter::insFar(nanojit::LOpcode op=LIR_tramp, nanojit::LIns * target=0xb5884100) Line 401 + 0x3 bytes

Status: RESOLVED WORKSFORME

(Core :: JavaScript Engine, defect)

Description

[IlkkaP]

User-Agent:       Mozilla/5.0 (Windows; U; Windows NT 6.0; en-US; rv:1.9.1b1pre) Gecko/20080926033937 Minefield/3.1b1pre (.NET CLR 3.5.30729)
Build Identifier: Mozilla/5.0 (Windows; U; Windows NT 6.0; en-US; rv:1.9.1b1pre) Gecko/20080926033937 Minefield/3.1b1pre (.NET CLR 3.5.30729)

I enabled both jit options from about:config.
From there on, Minefield crashes just after login to facebook.

Reproducible: Always

Steps to Reproduce:
1. Enable both jit options
2. Login to facebook
3.
Actual Results:  
Crash

Expected Results:  
No crash

Call stack:

>	js3250.dll!nanojit::LirBufWriter::insFar(nanojit::LOpcode op=LIR_tramp, nanojit::LIns * target=0xb5884100)  Line 401 + 0x3 bytes	C++
 	js3250.dll!nanojit::LirBufWriter::ensureReferenceable(nanojit::LIns * i=0x00000018, int addedDistance=3)  Line 265	C++
 	js3250.dll!nanojit::LirBufWriter::insCall(unsigned int fid=46, nanojit::LIns * * args=0x0022eab0)  Line 968 + 0x14 bytes	C++
 	js3250.dll!nanojit::CseFilter::insCall(unsigned int fid=46, nanojit::LIns * * args=0x0022eab0)  Line 1801 + 0xc bytes	C++
 	js3250.dll!FuncFilter::insCall(unsigned int fid=44, nanojit::LIns * * args=0x0022eadc)  Line 684	C++
 	js3250.dll!TraceRecorder::record_JSOP_GETELEM()  Line 4638	C++
 	js3250.dll!js_Interpret(JSContext * cx=0x03e9c600)  + 0x47956 bytes	C++
 	js3250.dll!js_Invoke(JSContext * cx=0x03e9c600, unsigned int argc=1, long * vp=0x05cac314, unsigned int flags=0)  Line 1324 + 0xa bytes	C++
 	js3250.dll!js_fun_apply(JSContext * cx=0x03e9c600, unsigned int argc=1, long * vp=0x05cac2fc)  Line 1732	C++
 	js3250.dll!js_Interpret(JSContext * cx=)  Line 4986	C++
 	js3250.dll!js_LookupPropertyWithFlags(JSContext * cx=0x05c509e0, JSObject * obj=0x05c50260, long id=1, unsigned int flags=1, JSObject * * objp=0x00000016, JSProperty * * propp=0x05ce3464)  Line 3395	C++
 	js3250.dll!6e23ec8f() 	
 	js3250.dll!6e23ecd7()

Comment 1

[thewolf86]

Confirmed:

http://crash-stats.mozilla.com/report/index/d060d31e-8de8-11dd-be37-001a4bd43ed6

Comment 2

[bhearsum@mozilla.com (:bhearsum)]

I'm hitting this too http://crash-stats.mozilla.com/report/index/e374e642-8efa-11dd-a502-001a4bd43ed6?p=1.

URL: http://blog.mozilla.com/bhearsum/wp-admin/post-new.php (sorry, can't give out credentials.)

Build: Mozilla/5.0 (Macintosh; U; Intel Mac OS X 10.5; en-US; rv:1.9.1b1pre) Gecko/20080929020507 Minefield/3.1b1pre ID:20080929020507

Comment 3

[Wladimir Palant]

I got this issue reported in my forum, supposedly it only happens when Adblock Plus is enabled (meaning that a JS content policy is installed). I could reproduce it in the current nightly:

Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.9.1b1pre) Gecko/20080930093007 Minefield/3.1b1pre

URL: http://www.blogger.com/comment.g?blogID=19336675&postID=1727342678535742344

Crash: http://crash-stats.mozilla.com/report/index/f874b033-8f80-11dd-8fa1-001cc45a2c28

Comment 4

[Andreas Gal :gal]

I think david is working on this. David, can you look at the stack traces and then dup this one?

Comment 5

[thewolf86]

After the latest nightly update it seems to be working for me. Guess this was a duplicate? No crashes... yet.

Comment 6

[David Anderson [:dvander] - inactive, e-mail if emergency]

Indeed, I can't reproduce this.  There was a crash bug related to the information in these crash reports, but it was fixed two days ago.

If anyone else still gets this problem with the latest nightly please re-open or post back.